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CHARTER 1 
INTRODUCTION 

In this thesis we present the formal development in Coq of the 
depth first search algorithm and its application for finding 
strongly connected components. As the algorithms are well known[13. 
we devote this introductory chapter to the motivational aspects 
behind work such as ours and to some key ideas on which the Coq 
sytem is based. 

Formal programming methods are concerned with the application of 
logic in the specification, synthesis and verification of programs. 
The basic motivation for formal methods is that the strategy of 
'test a few cases and extrapolate’ is inadequate for the total 
elimination of program errors. Formal methods allow us synthesize 
programs that provably meet their specification. Application of 
constructive logic to program development is a major research area 
in formal methods. 

Coq is an implementation of the Calculus of Inductive Constructions 
under development at INRIA in Rocquencourt and at ENS in Lyon. The 
Coq system has three main features. The first main feature is its 
logical language. This language is an extension of the Calculus of 
Constructions with primitive inductive definitions. The next 
feature is its proof assistant for higher order logic which allows 
the development of verified mathematical proofs. The final and the 
most important feature, from a formal methods view point, is the 
program extractor which extracts programs from the constructive 
contents of proofs.. From a constructive proof of the statement 


(forall x>.<(P x)-><exist9 y>.{Q x y)> 

where <P x> and (Q x y> are of type Prop, the program extractor 

extracts a function f such that 

(forall x)(P x)->(Q x (f x>) is satisfied. 

Hence to develop a program in the Coq system, we prove, using the 
proof assistant, an existential statement relating the output value 
to the input arguments. 

1.1 Key Ideas Behind Coq 

In this section we briefly review the development of constructive 
logic, type theory, Curry-Howard Isomorphism and the various exten- 
sions of simply typed lambda calculus. 

1.1.1 Constructive logics and Curry-Howard Isomorphism 

The initial impetus for the development of constructive logic was 
provided by Brouwer's intui t ioni st ic approach to mathematics. In 
Brouwer's view, mathematical reasoning could only be safe (free of 
paradoxes) if based on finitistic proofs (proofs that does not 
require an infinite verification). Thus the fundamental intui- 
tionistic assumption about proofs is the decidability of (c proves 
C) for proofs c and statements C. 

An i ntu i t i on i st i c interpretation of logic based on modeling proofs 
of assertion was developed by Heyting in 19?0. An informal descrip- 
tion of Heyting's semantics is given belowC^D. 

a. For atomic sentences, we assume that we know intrinsically 


what a proof is. 


b. A proof of A/\B is a pair (p,q) consisting of a proof p of A 
and a proof q of B. 

c. A proof of A\/B is a pair <i,p) with 

i=0.and p is a proof of A 
i=l,and p is a proof of B 

d. A proof of A->B is a function which transforms a proof of A 

into a proof of B. 

e. In general, the negation ~A is treated as A->i!? where i s a 

sentence with no possible proof. 

f. A proof of (forall x).(A x> is a function which maps each 

object c of the domain of definition into a proof of (A c) . 

f. A proof of (exists x).(A x) is an object c of the domain of 

definition and a proof of (A c>. 

A consequence of this proof interpretation is that A\/'“A is is not 
provable, since it is not possible in general to find either a fin- 
ite proof of A or a finite proof of '“A. 

Heyting's semantics provide the basis for Curry-Howard Isomorphism. 
The main motivation for Curry-Howard Isomorphism is the development 
of a language of proofs and assertions suitable for the above proof 
interpretation of logic. Church in 19JZ had modeled proofs and 
assertions of classical logic using lambda calculus. This formali- 
zation of logic was proved inconsistent since a version of 
Russell’s paradox created a contradictionC6] . 


In 1908, Russell identified in the lack of pred i cat i v i ty the 
essence of paradoxes in mathematical foundations. For the resolu- 
tion of paradoxes, Russell introduced type theory by postulating a 
stratification of the mathematical universe. 

The two main assumptions of Russell’s type theory are 

a. Functions differ from individuals. In particular functions of 
functions, etc result in a stratification of functions. A key 
result of this assumption is that a function cannot be applied 
to itself. An example by Stoy for the paradox that results 
from self application of functions is given below. 

let f = Cy]. If (y y> = a then b else a. Now the attempt to 
evaluate <f f> results in the contradiction 
If (f f) = a then b else a. 

b. A description of a leveKn) object is a level<n+l> object. 
The paradox that results from allowing descriptions to talk 
about themselves is nicely illustrated by "the smallest 
integer whose description requires more than ten words"C83. 
Since for Russell, the range of significance of a proposi- 
tional function is a type, this assumption results in a 
hierarchy of higher order types. 

Based on assumption (a) of Russell's theory of types. Church in 
1940 introduced the first version of explicitly typed lambda cal- 
culus, the simply typed lambda calculus. This explicitly typed 
lambda calculus can be extended in many ways. Now the essence of 
Curry-Howard iscwnorphism is that the simply typed lambda calculus 



and many of its extensions provide the right medium to formalize 
the proof interpretation for various constructive logics, if terms 
are seen as proofs and types of terms are seen as the assertion 
which they prove. 

We now briefly illustrate the Curry-Howard Isomorphism between pro- 
positions of minimal propositional logic and types of simply typed 
lambda calculusCA]. 

A type environment Q is a list xl : A1 , . . . , xn : An of type declarations 
such that xi’s are distinct identifiers. Now the derivation rule 
(l-> for simply typed lambda calculus can be formalized by 

a. Q I- x:A if the type environment Q assigns the type A to iden- 
tifier X . 

b. If Q.x:A is a type environment then 
Q I- Cx].M : A->B if Q.XrA I- M;B 

c. If Q I- M .• A->B and Q I- N : A then <M N) : B. 

The set F of formulas of minimal propositional logic is the closure 
of a base set B of propositions under implication. The entailment 
relation <l-> between subsets and elements , of F is axiomatized by 

a. HI- A if A belongs to H, where H is a subset of F. 

b. H I- A->B if <H U CA}) I- B 

c. If H 1^ A -s> B and H I- A then H I- B. 

What we need now is a notation to code the proof steps required to 
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prove H I- A. For this purpose we identify propositions with types. 
Let Q be the type environment obtained by distinctly marking the 
hypotheses in H. Now if Q marks A by the identifier x, then x is a 
proof of A. If M is a proof of B in the environment Q.xsA then 
CxD.M is a proof of A->B in the environment Q. Finally, if in the 
environment Q, M is a proof of A->B and N is a proof of A, then 
<MN) is a proof of B in Q. Thus we can easily code the proof steps 
corresponding to the three entailment inference rules using simply 
typed lambda calculus. Hence by induction if Q I- MsA then the 
lambda term M formalizes the proof steps required to prove H I- A. 

1.1.2 Clattif icaition of Explicitly Typed Systems 

BarendregtC 53 has proposed a classification of the extensions of 
simply typed lambda calculus based on the four basic functional 
dependencies : terms dependent on terms, terms dependent on types, 
types dependent on types and’ types dependent on terms. The depen- 
dency .'terms dependent on terms’ characterizes the functions in 
simply typed calculus. Basic idea behind this characterization is 
that if f is a function in simply typed lambda calculus then (f x> 
is a term depending on the term x. 

In simply typed lambda calculus, to express essentially identical 
functions on different types, different functions must be written. 
Thus Cx:A3.x of type A->A is an identity function for type A while 
Cx:B3.x of type B->B is an identity function for type B. A solution 
to this redundancy is to abstract types over terms to get 
polymorphic functions. Thus CA3CxsA3x is a function that takes as 
input a type B and returns the identity function [x:B3x for type B. 



7 


We can characterize polymorphic functions by the dependency 'terms 
dependent on types' since for a polymorphic function f, <f A) is a 
term that depends on type A. Now the question is what is the type 
of a polymorphic function. Since a polymorphic function takes as 
input a type and returns a term, we need a notation other than -> 
to indicate its type. We use (> to bind a type variable in the type 
of a polymorphic function. Thus (A)A->A, read as (forall A)A->A, is 
the type of a polymorphic function. Extension of simply typed 
lambda calculus with terms dependent on types gives us the 
polymorphic lambda calculus(F). 

In polymorphic lambda calculus (F> , we can represent the type of a 
list with elements of type A by <X)X-><A->X->X>->X. However to 
represent the type of a list with elements of type B, we have to 
repeat the above definition substituting A by B. To remove this 
redundancy we extend the .polymorphic lambda calculus <F) with 
abstraction of types over types. Thus the function [A] <X)X->(A->X- 
>X>->X takes as input a type B and returns the type of a list ele- 
ments of type B. Hence we can characterize this abstraction of 
types over types by the dependency 'types dependent on types* since 
the abstraction results in a function f such that (f A) is a type 
that depends on the type A. 

To keep these 'types dependent on types' free of paradoxes we need 
a notion of type of type expressions. We call the type of types 
kinds. The constant kind * is the kind of types of terms. Thus the 
type of a type expression that takes as input a type of type * and 
returns a type of type * is *->♦, the type of a type expression 
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that takes as input a type of type ■*->* and returns a type of type 

* is <*->*>->*. and so on. This results in a hierarchy of higher 
order types given by 

K = * I K -> K. Thus the type A->A of the identity function for 
type A is of type *. Similarly the type <A)A->A, which can now be 
more precisely represented as (A!*)A->A, is the type of the 
polymorphic identity function, and hence is of type *. We can have 
the even more polymorphic identity function, 

[A;*->*]CB:*3[x: (A B>].X . 

This term of type *, takes as inputs a function from type ♦ to type 

* and a type B and returns an identity function for type (A B) . 

For eg, given as inputs the list type constructor 
CA3(X>X->(A->X-»<>->X> and a type B of type 

the even more polymorphic function returns the identity function 
for lists with elements of type B.This example also illustrates the 
abstraction of a type A of kind *->■* in a type dependent lambda 
term of type *. Similarly, it is also possible to abstract types of 
any kind in a lambda term. 

The critical difference between CA:*3A->A and <Aj*>A->A is that 
CA!*]A->A is a type function and has no term of that type, while 
(A;*)A->A is the type of the polymorphic identity function. 

The lambda calculus obtained by extending the polymorphic lambda 
calculus (F> with 'types dependent on types' is called Fw. 

For SI Curry-Howard I sdmorphifro suitable for the pirdof interpreta- 
tion of predicate calculusi, we require the notion of types depen- 
dent on terms. For this we extend the notion of kinds such that if 
A is a type and k is a kind then A->k is a kind. 
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In particular, A->* is a kind. Thus for eg, if P:A->* and x : A 

then (P x);* is a type that depends on a term <x) . Now by Curry- 

Howard Isomorphism a term f of type (x;A)(P x> can be seen as a 

proof of (forall x>.(P x> since for any x, <f x) is a proof of <P 

x>. Similarly a term g of type <x:A)(P x>->B can be seen as a proof 

of (exists x>.(P x>->B since given a term c such that h is a proof 

of (P c), <g c h) is a proof of B. Given proofs of (exists x>.(P x> 

and ((exists x> . (P x)->C) we should be able to prove C. Thus the 

proof of (exists x>.(P x) should be a function that takes as inputs 

a proposition C, a proof of (exists x).(P x)->C and return a proof 

of C. Hence we can define (exists x>.(P x> as 

(C : *>((x : A>((P x)->C)>->C. The difference between 

((x ; A)(P x))->C and (x : A) (P . x>->C is crucial in this respect. A 

term of type ((x:A)(P x>>->C is a proof of ((forall x>.<P x>)->C 

while a term of type (xsA>(P x)->C is a proof of 

(exists x>.(P x)->C. Similarly we can define 

A /\ B by (C : *>((A->C)->(B->C)->C>->C and 

A\/B by (C : *) ( A->B->C> ->C . Thus /\ can be defined as 

[A:*3[B:*3(C : *> ( ( A->C ) ->(B,->C ) ->C > ->C 

and \/ can be defined as 

CA;*3CB;*J(C : *) ( A->B->C> ->C . 

The extension of Fw with 'types dependent on terms' gives us the 
various versions of Calculus of Constructions. The first version of 
the Calculus of Construct ions ,CoC. was presented bt T.Coquand in 
1985. This logical system allowed powerful axiomatizations, but 
direct inductive definitions were not possible and induction prin- 
ciples are not provable. The formalism was extended in 1989 by 
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Coquand and Paulin with primitive inductive definitions, leading to 
the current Calculus of Inductive Constructions. 

1.2 Outline of Thttit 

The organization of the; rest of the chapters is as follows. 

Chapter 2. Program. Deve lopment 

This chapter is the main chapter. It discusses the development 
of depth first search and its application for finding strongly 
connected components. 

Chapter ?. Program Extraction 

This chapter discusses the realization of axioms and program 
extraction in Coqe Real i zat i on of the two axioms necessary for 
extraction of depth first search and strongly connected com- 
ponents algorithm is also described. 

Chapter 4. Conclusion 

APPENDIX 

The appendix contains an overview of the current implementa- 
tion <Coq> of the Calculus of Inductive Constructions. 
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CHAPTER Z. 

PROGRAM DEVELOPMENT 

This chapter presents the formal development in Coq of the depth 
first search algorithm and its application for finding strongly 
connected components. This chapter is divided into three main sec- 
tions. The section one describes the graph representation used and 
develops the basic graph manipulation functions. Section two 
describes the formal development of depth first search algorithm. 
Section three describes the development of the depth first search 
algorithm for finding strongly connected components in a directed 
graph . 

2.1 Basic Dafinitions and Lammas 

2.1.1 Vertices and Vertex Lists 

We declare the -type V of vertices by 
Parameter V : Set. 

For checking the equality of vertices, we assume 
Axiom eqV : <x,y : V> f <V>x=y>+{~<V>x=yl . 

The inductive set of vertex lists is defined by 
Inductive Set list = nil ; list I cons ; V -> list -> list 

2.1.2 List Membership 

We now define a function to test the membership of a vertex in a 


list. 
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Definition occurs_in. 

Body [1 : listDCx ; VI (<Prop>Match 1 with 

False 

Ca : VDCm : listlCP : Prop! 
(<V>x=a> \/ P>. 


The properties of occurs_in which we prove, for example, include 

a. for any list 1 and any vertex v, either (occurs_in 1 v) or 
~<occurs in 1 v> holds 


b. a vertex occurs in a list 1 or a list m iff it occurs in the 
list obtained by appending m to 1 

c. a vertex cannot occur in an empty list. 

2.1.3 Removal of a Vertex from a List 

For any vertex x, lists 1 and lx, Crm_V_list x 1 lx) iff lx is the 
list obtained by removing all copies of x from 1. 


Inductive Definition 
n i l_rm_V__l i st ; 

I cons rm V listl : 


I cons rm V 1 i st2 : 


rm_V__l i stCx : V] ,* 1 i st->l i st->Prop = 
< rm_V_l i s t x nil nil) 

(y : V)<1 : list)<m : list) 
<rm_V_list X 1 m)-><~(<V>x=y) )-> 
<rm_V__list x (cons y 1) (cons y m) ) 
( 1 ! 1 i st > (m : list) 

(rm_V_list X 1 m)-> 

(rm V list x (cons x 1) m) . 


The rm_V_list lemmas which we prove are 


a. for any vertex x and any list 1, there exists a list lx such 
that (rm V list x 1 lx) holds 


b. 


if (rm V list x 1 lx) then x does not occur in 1 
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c. if (rm__V_list x 1 lx) and <~<V>x=y) and y occurs in 1 then y 
occurs in lx. 

2.1.4 Graph Otfinttion 

In this thesis we consider only directed graphs. The representa- 
tion we use for graph is 

Inductive Definition graf : Set = 
nil_graf : graf 

I cons_graf : V-> 1 i st->graf->graf . 

In this graph representation, we assume that 

a. if a vertex has more than one edge list, the outermost edge 
list of that vertex in the graph representation is its true 
edge list. 

b. edge list of a vertex which has no edge list of its own is 
assumed to be nil. 

The reason for assumption <b) is that a vertex can occur in an edge 
list without having an edge list of its own. For depth first search 
related algorithms, this assumption is satisfactory. This assump- 
tion can be changed to a stronger assumption that if a vertex has 
no edge list of its own and it occurs in some edge list then its 
edge list is nil else it has no edge list. Disadvantage of this 
stronger assumption is an increase in runtime requirement but it 
has the advantage of distinguishing vertices present in a graph 
from other vertices. 
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2.1.5 Edgt Utt of o vtrtix 

In accordance with the assumptions given in the previous section, 
we define an inductive ternary relation edges_f rom_i n . For any 
graph G and vertex x, (edges__f rom_in x G 1> iff 1 is the edge list 
of X in G. 


Inductive Definition edges_from_inCvl ; V] : graf-> 1 i st->Prop = 
edges_f rom_n i 1 : <edges__f rom_i n vl nil___graf nil) 

I edges_f roTO_i n_l : .(v2 : V)<11 : grafXtl ; list) 

<t2 ; list) (edges_from_in vl 11 tl)-><<V>vl = v2) -> 
<edges_f rom_i n vl <cons_graf v2 t2 11) t2) 

I edges_f rom_in_2 ; (v2 -■ VXll ; grafXtl : list) 

(t2 : 1 i st ) ( edges_f rom_i n vl 11 tl)-><''<V>vl = v2) -> 

< edges_f rom_i n vl <cons_graf v2 t2 11) tl). 


The edges_f rom_i n lemmas which we prove are 


a. for any vertex v and graph G, there exists a list 1 such that 
(edges_f rom_in x G 1) holds. 


b. edge list of a vertex in a graph is unique 


2.1.6 Edge Oofinition 


In a graph G, there is an edge from vertex x to vertex y iff y 
occurs in the edge list of x. Me use this fact in the definition of 
the relation edge. 


Inductive Definition edgeCG: graf ; x , y ; s Prop = 
edge_intro : <1 ; 1 istXedges_from_in x G l)-> 
<occurs__in 1 y)->(edge G x y). 


The lemmas related to edge property which we prove are 
a. there exists no edge between two vertices in a nil_graf 
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b. the inversion of edge definition, i.e., if there is an edge 
from X to y in a graph G, then y occurs in the edge list of x-. 

c. for any graph G, vertices x.y. and z, and list 1, if (~<V>x=y) 
then there is an edge from vertex y to vertex z in the graph 
<cons_graf x 1 G> iff (edge G y z) . 

d. for any graph G, and vertices x and y, either (edge G x y> or 
““(edge G x y) holds. 

2.1.7 Addition of an Edge to a Graph 

If the edge list of a vertex x in a graph G is 1. then by assump- 
tion (a> in the graph definition, (cons_graf x (cons y 1) G> is one 
of the many possible representations of the graph resulting from 
the addition of an edge, from x to y in graph G. We use this 

representation to define the relation cons_edge_graf . The proposi- 

tion (cons_edge_graf G x y Gxy) holds if Gxy is the graph resulting 
from the addition of an edge from x to y in graph G. 

Inductive Definition cons_edge__grafEGsgraf ;x.y:V]!graf->Prop = 
cons_edge__graf_intro : (I : . 1 ist) (edges__from_in x G l)-> 
(cons_edge__graf Gxy (cons__graf x (cons y 1) G)>. 

The lemmas related to cona__edge_graph which we prove are that for 

any graphs G and Gxy, and vertices x, y, p, and q 

a. for any graph G and vertices x and y, there exists a graph Gxy 
such that (cons_edge__graph Gxy Gxy> holds. 

b. if (cons edge__graf G x y Gxy) then (edge Gxy, x y) . 
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c. if ( cons_edge_graf G x y Gxy) and (edge G p q) then (edge Gxy 
P q) . 

2.1.8 Compotition of Two Grmpht 

By composition of two graphs Ga and Gb, we mean the graph Gab 
obtained by the additions of edge in Gb to Ga . We characterize the 
composition of two graphs by the ternary relation union_graf. The 
definition of union_graf uses the assumption (a) of the graph 
definition. 

Inductive Definition union_graf CG:graf 3 : graf->graf ->Prop = 
ni l_union_graf : (union_graf G nil_graf G) 

I cons_un i on_graf : (x : V)(la : list>(lb : list) 

(Gb ; graf)(Gc ; graf) 

(union_graf G Gb Gc) ->(edges_f rom_i n x G la>-> 

(union_graf G (cons_graf x lb Gb) 

(cons_graf x (app la lb) Gc)). 

The lemmas related to union_graf which we prove are 

a For any graphs Ga and Gb. there exists a graph Gab such that 
(union__graf Ga Gb Gab) holds. 

b For any graphs Ga. Gb. and Gab, and vertices x and y. if 
(union_graf Ga Gb Gab) then (edge Gab x y) iff either (edge Ga 
X y) or (edge Gb x y>. 

2.1.9 Removal of a Vertex from a Graph 

For any graphs G, and Gx, and vertex x, the relation (rm__V__graf x G 
Gx) holds if Gx is the graph obtained by removing the edge list of 
X and also v from al I other edge lists of the graph G. 



17 


Inductive Definition rm_V_graf Cx : V] : graf ->graf->Prop = 
n i l_rm__V__graf : (rm_V__graf x nil_graf nil_graf> 

I conB_rm_V_graf 1 : (Ga : grafXGb ; graf) 

<1 : 1 i st ) ( rnn_V_graf x Ga Gb>-> 

(rm_V_graf x <cons__graf x 1 Ga> Gb> 

I con3_rm_V_graf2 : <y : VXGa : grafXGb : graf) 

(la ; list) (lb : 1 i St ) ( rm_V_l i St x la lb)-> 

( ~ ( <V>x = y ) ) -> ( rm__V__graf x Ga Gb)-> 

frm_V__gra;f x (cons^graf y la Ga) (cons_graf y lb Gb)). 
The lemmas of the property rm_V_graf which we prove are 


a. for any vertex x and graph G there exists graph Gx such that 
(rm_V_graf x G Gx) holds. 


b. if (rm_V_graf x G Gx) then there is no edge from x or to x in 
graph Gx. 


2.1,10 Tha 'Sat pair^dft and its Projaction Functions 


We end this section with the definition of pair_dfs. A term of type 
pair_dfs has three components, two graphs and a list. The set 
pair_dfs should not be confused with a pair type since it has actu- 
ally three components. We also define the three destructors 
pd_grafa. pd_^grafb and pd_list to access the three components. 

Inductive Definition pair_dfs : Set = 

pai r__df s__intro : (ga.gb : graf XI : 1 i st >pai r_df s . 

Definition pd__grafa. 

Body Cd : pa i r^df s 3 ( <graf >Match d with 

Cga ; graflCgb : grafDCl s list3ga>. 

Definition pd_grafb. 

Body Cd : pai r_df s3 ( <graf >Match d with 

, Cga : graf3Cgb s graf3Cl : list3gb>. 

Definition pd^list. 

Body Cd : pai.r_df 83(< 1 i st>Match d with 

Cga : graf3Cgb : graf3Cl : list31>. 
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2.2 Development of Depth First Search 
2.2.1 Depth First Search Algorithm 

A depth first search (dfs_fn> call takes as input a graph(G). a 
start vertex (start). a list of vertices (v__list>. and a list 
(list_out) of vertices reached so far. It returns as output a term 
p_out of type pair_dfs whose components are a graph <G_out) of ver- 
tices not yet reached, a graph <tree_out) which is the depth first 
search tree of vertices reached in the current call, and a new list 
(list out) of vertices reached so far. 


define dfs_fn (G, start , v_l i st , 1 i st_out ) 

C 

let G_out = the graph resulting from the removal of 

start from G 

let tree_out = nil_graf 

let list_out = (cons start list_out) 

(♦ the above initialization steps form the basis of*) 

(* init_dfs in the definition of dfs relation *) 
for each v in v_list do 
f 


if V occurs_in list_out 

then C> (*then part forms the basis’ for cons__dfsa*) 
else 


C 

let 1 = edge list of v in G_out 

let p = dfs_fn (G_out v 1 list_out) 

G__out » (pd__.grafa p) 

tree_out = graph resulting from the addition of 
an edge from start to v to the union 
of graphs tree__out and (pd_grafb p) 
list_out = (pd__iist p) 

} (*else part forms the basis for cons__^df sb*) 

'V . ■ ... , ■, . ■ 

return (pair^dfs intro G out tree__out list__out) 


In the above algorithm G_out and list_out are better seen as 'tail 
recursive* variables - which is not the case for tree_out. Now the 
depth first search tree rooted at start in graph G is (pd_grafa 
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(dfs_fn (G start v__list nil))) if edge list of vertex v in graph G 
is v_ijst. To find the depth first search forest for a graph G, 
call <pd__grafa <dfs_fn (G start v_list nil))) where start is a ver- 
tex not in graph G, and v_list is the list of all vertices in graph 
G. 

2.2.2 The dfs Relation 

s 

We now give the inductive definition (dfs) of the relationship that 
should hold between the arguments and the result term of the dfs_fn 
given above. 


Inductive Definition df s : graf ->V-> 1 i st-> 1 i st-> 

pai r___dfs->Set = 

init_dfs ; (gin, gout ; graf)(vert ; VXQlin : list) 

< rm_V__graf vert gin gout)-> 

(dfs gin vert nil Qlin 

(pai r_dfs_intro gout nil_graf (cons vert Qlin))) 

I cons_dfsa ; (gin : graf ) (verta, vertb : V)(Qlin ; list) 
(1: listXp ! pai r_df s ) (df s gin verta 1 Qlin p)-> 
(occurs_in (pd^list p) vertb)-> 

(dfs gin verta (cons vertb 1) Qlin p) 

I cons__dfsb ; (gin.Qgab.Qgc ; graf Xverta, vertb ; V) 

(Qlin ! listXla.lb : list)(pa',pb : pair_dfs) 

(dfs gin verta la Qlin pa)-> 

(~(occurs_in (pd_list pa) vertb))-> 

(edges__f rom_in vertb (pd_grafa pa) lb)-> 

(dfs (pd_grafa pa) vertb. lb (pd_list pa) pb)-> 
(union_graf (pd__grafb pa) (pd_grafb pb) Qgab)-> 
(cons_edge_graf Qgab verta vertb Qgc)-> 

(dfs gin verta (cons vertb la) Qlin 

(pai r__dfs__intro (pd__grafa pb) Qgc (pd__list pb))). 


2.2.5 Wall Founded Induction for Graphs 

We need a weH_founded induction rule for graphs. For this purpose 
we define a subgraph relationship for graphs. If from a graph G, a 
vertex v with non nil edge list is removed to get a graph Gv . then 

Gv is a proper subgraph of G. Deleting any vertex from any proper 

1 
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subgraph of G results in further subgraphs of G. By this defini- 
tion, a graph in which all edge lists are nil does not have any 
proper subgraph. We also prove the transitive property of subgraph 
relation. 

Inductive Definition subgrafCG : grafj :graf->Prop = 
subgraf^^i ntroa : (Gs : grafXx s VXl ; list) 

( edges_f rom__i n x G 1 > -> < ~< 1 i st>n i 1 = 1 ) -> 

(rnn_V_graf x G Gs)->(subgraf G Gs) 

I subgraf_i ntrob : <Gs,Gss : grafXx : V) 

(subgraf G Gs ) -> < rm_V_graf x Gs Gss)-> 

( subgraf G Gss ) . 

Our well founded induction rule now states that if a statement is 
true for all subgraphs of a graph implies that it is true for that 
graph also, then that statement holds for all graphs. If we are to 
use this induction principle to prove a statement for all graphs, 
then that statement, in the base case, must hold for all graphs 
with nil edge lists. Graphs with nil edge lists are nil_graf and 
all graphs (cons v nil G> such that v is any vertex and G a graph 
with nil edge lists. 

We use the variable well_founded and the axiom of 
we 1 l_f ounded_recurs i on given in merge__l i st . v in Coq documentation. 
To use the axiom of well_founded recursion for graphs we assume the 
axiom graf_wf. 

Variable wel l__fbunded : <A:Set ) <A->A->Prop)->Prop. 

Axiom we H__f ounded__recurs i on : (A;Set><R:A->A->Prop) 

(we 1 l_f ounded A R)->(P:A->Set) 

(a:A) ((b:A)((csA)(R c b)->(P c))->(P b)> -XP a). 

Axiom graf__wfj(A : Set ) (f s A->graf > 

(well founded A [al ,a2: AD (subgraf (f a2)(f al))). 
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For any Set type A, (we 1 l__founded A R) holds if R is a relation 
which defines the well_founded ordering for terms of type A. Our 
assumption graf__wf states that for any Set type A, and function f 
from A to graph. <we 1 l_f ounded A graf_pred) holds, where 
<graf_pred x y) means <f y) is a subgraph of (f x) . Axiom 
we 1 i_f ounded_recurs i on defines a weil_founded induction rule for 
every (we 1 l_f ounded A R) . Our axiom of graf_wf is very general. For 
the proofs that follow, we need only 
(well-founded graf Cx . y : graf 3 (subgraf y x) ) . 

Hence to specialize graf__wf , we define an identity function for 
graphs. 

Definition id_graf. 

Body [a ; graf 3a : graf->graf. 

2.2.4 Statement and Proof of Main Goal 

Now our main goal is to prove that for any graph G and vertex v, if 
edges from v in G is 1. then there exists p of type pair__dfs such 
that (dfs G X 1 nil p) holds. For this purpose we define a relation 

I 

dfs_spec and state the goal based on dfs_spec. The motivation for 
dfs_spec is that it helps us to hide irrelevant details, like 
existence of 1 such that (edges_from_in x G 1), from the goal. Pur- 
pose of this hiding is that program extracted from the proof of our 
goal will find such an 1 instead of 1 also being an input to the 
program. (Wehave to prove the existence of such an 1 with in the 
proof of our goal 

Inductive Definition dfs_specCG:graf {X:V;p;pair_dfs3:Prop = 
dfS— spec_intra .• (1 : 1 ist) (edges_^f rom_in x G l)-> 

(dfs G X 1 nil p)->(dfS— spec G x p>. 
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Goal (G : graf)(x : V> 

{p : pair_dfs I (dfs_spec G x P>J. 

To prove the above goal, we prove the following lemma. 

Goal (gin : graf)<x ; V)<1 : listXQlin : list) 

( edges_f rom_i n x gin 1 >-><~<l ist>ni 1 = 1 )-•> 

(exist_sp pair_dfs 
Cp: pa i r_df s] <df s gin x 1 Qlin p> 

Cp : pa i r_df s 3 ( subgraf gin (pd__grafa p))>. 

This lemma states that for any graph gin and vertex x, if edges 
from X in gin is 1 such that 1 is not nil then for any list Qlin 
there exists p of type pair_dfs such that (dfs gin x 1 Qlin p) and 
(subgraf gin (pd_grafa p)) holds. Qlin is informally the list of 
vertices already reached. The motivation for the lemma is that we 
have to prove by well founded induction and only removal of a ver- 
tex with non nil edge list gives a subgraph. The induction outline 
is informally as follows. We remove the start vertex v to get the 

graph of vertices not yet reached(g out). The graph g out is proved 

to be a proper subgraph of gin. Then for each vertex vl in 1 we 
prove that either case (a) or case <b) given below holds. 

a. if edges from yl in g__out is nil then we remove vl to get the 
new g__out. We use the property that the old g_out is a proper 
subgraph of gin to prove that new g__out is a proper subgraph 
of gin. (Removal of any vertex from a proper subgraph gives 
another subgraph.) 

b. if edges from vl in g_out is not nil, then we prove that g_out 
returned by the recursive call is a proper subgraph of gin. 
The new g__out is a proper subgraph of old g_out by induction 
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hypothesis and old g_out we have already proved is a proper 
subgraph of gin. Thus transitive property of subgraphs give us 
the required proof. 

The lemma goal statement above had used a relation exist sp to 

state the existence of term p of type pair_dfs such that (P p) and 
(Q p> holds, where P is of type pa i r__df s->Prop and Q of type 
pa i r_df s->Set . We now give the definition of exist_sp. 

Inductive Definition ex i st_sp[A : Set ; P: A->Set ; Q : A->Prop3 : Se t= 
ex i st_sp_intro : <x : A)(P x)-><Q x)-><exist_sp A P Q) . 

The proof of our main goal now follows easily. We prove separately 
the case where edge list of x in G is nil. For the case when edge 
list is not nil we use the lemma proved above. 

2.3 Otpth First Starch for Strongly Conntctod Compontntt 

2.3.1 Oaf i nit ions and Lammas 

We define a predicate min. For any nl , n2, and n3 of type nat , (min 
nl n2 n3> stands for the statement that n3 is the minimum of nl and 
n2. We prove that for any nl and n2 there exists n3 of type nat 
such that (min nl n2 n3> holds. 

Inductive Definition min[x.y : nat] : nat-> Prop = 
min__le : (le x y)->(min x y x) 

I min_gt s (gt x y)->(min x y y>. 

We also prove that, for any nl and n2 of type nat either nl is 
equal to n2 or nl is not equal to n2. 


We define a new Set type 11, the type of list of list of vertices. 
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This type is necessary to represent a collection of strongly con- 
nected components. 

Inductive Definition 11 : Set = 
nil_ll ! 11 

I cons_l 1 : list -> 11 -> 11 ; 

We now define the relation rm_l_l . For any lists la, lb, and Ic 
13^ It) lc> holds if Ic is the list obtained by removing ver- 
tices in la from lb. For a given la and lb, we also prove the 
existence of such an Ic. 

Inductive Definition rm_l_l [ I ; 1 i st3 : 1 i st-> 1 i st->Prop = 
rm_l_l_nil : (rm_l_l 1 nil nil) 

I rm_l_l_consa • (la, lb : listXv ; VXrrn 1_1 1 la lb>-> 

(occurs_^in 1 v)->(rm_l_l 1 (cons v la) lb) 

I rm_l_l_consb ; (la, lb : listXv .- V)(rm_l_l 1 la lb)-> 

(~(occurs_in 1 v))->(rm_l_l 1 (cons v la) (cons v lb)). 

2.3.2 Oapth First Numbtr and Assoc iattd Osfinitions 

Depth first search for strongly connected components (dfs__scc) 
requires depth first numbering of vertices. The dfs algorithm 
always keep track of vertices reached so far in a list, in the 
order in which vertices where reached. Hence if we see this list as 
a stack, then the height of a vertex in the stack gives its depth 
first search number. We now define a relation depth such that (dfs 
X 1 natl nat2) holds if natl is the size of list 1 and nat2 the 
height of vertex x when I is seen as a stack. We also define a 
relation depth;_Spec, such that <depth_spec x 1 nat2) holds if there 
exists natl such that (depth x 1 natl nat2) holds. The definition 
of depth_spec helps uS to hide natl from bur goal, which is to 
prove that there exists nat2 such that it is the depth of x in 1. 



25 


Inductive Definition depthCx : V] : 1 i st->nat->nat->Prop = 
depth_nil : (depth x nil 0 0> 

I depth_consa : (1 : listXm.n : nat) 

(depth X 1 rt» n)-> 

(depth X (cons x 1> (S m) (S m) > 

I depth_consb : (1 ; listXv : VXm.n : nat) 

(depth X 1 m n>->(~<V>x=v>-> 

(depth X (cons v 1) (S m) n). 

Inductive Definition depth__spect x ; V ; 1 : 1 i st 3 : nat->Set = 
depth_spec_intro ; (m,n ; natXdepth x 1 m n>-> 

(depth_spec x 1 n>. 


The depth_min_fn algorithm is informally given below. The dfs_list 
argument in the algorithm should be seen as a stack of vertices 
reached so far in the process of depth first search. The basic aim 
of the algorithm is to return the minimum value among default value 
and the depth of vertices of 1 (that occurs in check_list) in 
df s list. 


define depth_min_fn (check_list : list; default : nat; 

dfs_list : list; 1 : list) 

C 

let return__num — default 
for each v in 1 do 
C 

if V occurs in check_list 

then return_num = minimum of return_num and 

depth of V in dfs_list 

else C} 

> 

return (return num) 

}. 


We now give the inductive definition (depth__min> of the relation- 
ship that should hold between the arguments and the result term of 
depth_min_fn. We also prove the existence of the depth_min_fn. 


Inductive Definition depth_min 

Cl is ; 1 ist ;def :nat ;dfs__lTst : 1 ist] .-1 i st->nat->Prop= 
depth_mi n_hi 1 : (depth__mih lis def dfs__list nil def) 

I depth__min__consa : ( 1 : list)(v : V) (m,n,o:nat) 

(depth__min lis def dfs__list 1 m)->(occurs__in lis v)-> 
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(depth__spec v dfs_list n)-><min m n o)-> 
<depth_min lie def dfs_list (cons v 1> o> 

I depth_mi n_consb ; (1 : listXv : V)<m:nat) 

<depth_min lis def dfs_list 1 m>-> 

< ~ < occurs__i n lis v>>-> 

(depth_min lis def dfs_list (cons v 1) m) . 


2.5.5 Th« S«t p«ir_«cc and its Pro j act ion Functions 

Ule define a Set type pair_acc. a term of type pair_scc has three 
components a nat , a list of vertices and a list of list of ver- 
tices. To project out these components from a pair_scc term, we 
also define three projection functions. 

Inductive Definition pair__scc : Set = 

pair scc__intro : nat-M i st~> 1 1 ->pa i r_scc . 

Definition ps__num. 

Body Cp : pair_scc3(<nat>Match p with 

[a : nat]Cc : list]Cd : ll]a>. 

Definition ps_list. 

Body Cp : pair_scc](<l ist>Match p with 

Ca : nat]Cc : list]Cd s 113c). 

Definition ps_i 1 . 

Body Cp : pair scc3 ( <^1 1 >Match p with 

Ca : nat3Cc : list3Cd : 113d). 

2.5,4 Strongly Connect ad Componants Algorithm 

In a depth first search call for strongly connected components, the 
first argument is a graph (original_graf ) which is always passed 
unchanged to all recurs ive , cal Is . The next foyr arguments are same 
as that for depth first search (dfs__fn> call. They are a graph (G) . 
a start vertex (start),: a list (la) of vertices and a list 
(list__out) of vertices reached so far. The fifth new argument is 
psa of type pair_scc. The first component of psa, (ps_num psa) . is 
the number of vertices reached so far. The second component of psa. 
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The main use of this stack is 
complete strongly connected 
they were reached. The third 
component of psa, (ps_ll>, is the list of strongly connected com- 
ponents collected so far. 


^ps list psa) is a stack of vertices. 

to store vertices, not yet a 
component <scc> , in the order in which 


define dfs_scc__fn <or i gi nal_graf . G. start , la , 1 i st_out , psa) 

returns three values : a term of type pair_dfs 
a term of type pair_scc and ~ 

a term of type nat*) 


C 

let 

let 

let 

let 

let 

let 

let 


for 


G_out = the 
tree_out 
1 i st_out 
num__out 
stack_out 
1 l_out 
mi nnata 
(*the above 
( * i n i t_df s_scc in 
each V in la do 


graph resulting from the removal of start from G 
= nil_graf 

= (cons start irst_out) 

= (S (ps_num psa),) 

= (cons start (ps_list psa)> 

= (ps_ll psa) 

= (ps_num psa) 

initialization steps form the basis of*) 

the definition of dfs see relation*) 


C 


if 


V occurs_in list_out 
then 

C 


else 


(♦then part forms the basis for cons__df s_sccl*> 
mi nnata = depth_jnin_fn (stack_out mi nnata 

list out (cons V nil)) 


} 


C 

let lb = edge list of v in G_out 
let (p.psc.minnatb) 

= dfs_scc__fn (or iginal_graf G_out v lb list__out 
(pair dfs_intro num_out stack_out 
“ ll_out>> 

G_out = (pd__grafa p) 

tr6e_out = graph resulting from the addition of an 
edge from start to v to the union of 
graphs tree^out and (pd__grafb p) 
list^out = (pd^list p> 

let Tc = edg¥_list Of V in origlnal_graf 

minatb = depth_min_fn (stack_put minnatb list_out lc> 

if (minnatb == hum_out> 

then 

I 

(*then part forms the basis for cons_df s_scc2*> 
num_out = (ps__num psc) 

let lis = list obtained by removing vertices in 
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return 


}. 


stack__out from (ps_list psc) 

(*can be seen as popping (ps_list psc) until 
it becomes equal to Btacl<__out#) 

1 l__out = (cons_ll lis (ps_ll psc>> 

' > 
else 

C 

<*else part forms the basis for cons_df s_scc3*> 
num_out = (ps_num psc) 

stack_out = (ps^list psc) 

1 l_out = (ps_l 1 psc) 

minnata = minimum of minnata and minnatb 

> 

> 

( <pai r_dfs_intro G_out tree_out list_Dut) 

<pa i r_scc_i ntro num_out stack_out ll__out) 
mi nnata ) 


2.5.5 The dfs ecc Relation 


Me now give the definition of the relationship <dfs_scc) that 
should hold between the result terms and arguments of the 
dfs_scc_fn given above. Informally <dfs_Bcc or iginal_graf G start 
la list out p psa psb minnat) holds if tp psb minat) - dfs_scc_fn 
(or iginal^graf G start la list__out psa). The relation is based on 
the introduction rules for depth first search relation. For each 
dfs introduction rule we specify the extra logical relations that 
should hold to prove (dfs__8cc or iginal^graf G start la list_out p 
psa psb minnat) . 

Inductive Definition dfs_sccCGin:graf!] 

. graf->V->l i8t->l ist->pair_dfs-> 

pair sec- >pair^iBcc->nat->Prop = , . 

ini t_d7s__8cc : Tgin.gout.Qg : grafXvert : VXQlin : li8t) 

(ps : pair_scc) (rm_V_graf vert gin gput)-> 

<dfs__^8CG Gin gin vert nil Qlin 

(pair dfs intro gout Qg (cons vert Qlin)) ps 
(pair"scc“intro (S(ps_num ps)) (cons vert (ps_list ps)) 

(ps_ll ps)) (ps_num ps)) 

I cons dfs_sccl ; (gin : graf ) (verta.vertb ; v) 

(Q1 in: 1 ist)(l : 1 ist) (minnat, newmin : nat) 

(p:pai r_d:fs) (pi n^poUt : pai;r__scc) 
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<dfs__scc Gin gin verta 1 Qlin p pin pout minnat>-> 
(occurs_in <pd_liBt p> vertb)-> 

<depth_min <ps_Iist pout)' minnat <pd_list p> 

(cons vertb nil) newmin)-> 

(dfs__scc Gin gin verta (t^ons vertb 1) 

Qlin p pin pout newmin) 

I cons_df s_5cc2 : (gin,Qg:graf) (verta, vertb:V> 

(Q 1 i n , 1 a , 1 b , 1 c , 1 i s : 1 i st ) ( pa , pb : pair_dfs) 

(psa,psb,psc ; pa i r__scc) (mi nnata ,mi nnatb , newmi n : nat) 
(dfs_scc Gin gin verta la Qlin pa psa psb minnata)-> 
(~(occurs_in (pd_list pa) vertb))-> 

(edges_f remain vertb (pd_grafa pa) lb)-> 

(dfs_scc Gin (pd__grafa pa) vertb lb (pd_list pa) 
pb psb psc minnatb>-> 

( edges_f rom_i n vertb Gin lc)-> 

(depth_min (ps_list psb) minnatb 
(pd__list pb) Ic newmin)-> • 

(<nat>(ps_num psb)=newmin)-> 

(rnn_l_l (ps^list psb) (ps_list psc) lis)-> 

(dfs_scc Gin gin verta (cons vertb la) Qlin 

(pair_dfs_intro (pd__grafa pb) Qg (pd_list pb)) 
psa (pa i r_scc_i ntro (ps_num psc) 

(pB_list psb) (co'ns_il lis (ps_ll psc))) minnata) 
I cons_df s_scc J : (gin , Qg ; graf )( verta , vertb ; V) 

(Q1 in, la, lb, Ic: 1 ist) (pa.pb : pair_dfs) 

(psa, psb, psc ; pair_scc)(minnata, minnatb, newmin, nm : nat) 
(dfs_scc Gin gin verta la Qlin pa psa psb minnata)~> 
('"<occurs__in (pd__iist pa) vertb))-> 

(edges^f rom_in vertb (pd__grafa pa) lb>-> 

(dfs_scc Gin (pd_grafa pa) vertb lb (pd_list pa) 
pb psb psc minnatb)-> 

( edgea^f rom_i n vertb Gin lc>~> 

(depth3nin (ps^list fJsb) minnatb 
(pdJTist pb)~lc newmin)“> 

(~(<nat>(ps_num psb) =newmi n) ) -> 

(min minnata newmin nm>-> 

(dfs_acc Gin gin verta (cons vertb la) Qlin 

(pai r_dfs_intro (pd__grafa pb) Qg (pd^list pb)) 
psa ps^c nm) . 

2.5.6 Stataroent and Proof of Main Goal 


Me now prove the following lemma. 

Goal (Gin, gin : graf)(x : V)(la ; list) (Qlin : list) s 

(p:pair__dfs) (dfs gin x la Qlin p) ->(psa: pa’i r_scc ) , 

(psbipair scc&Cnm: nat I (df s__scc Gin gin x la Qlin 

~ p psa psb nm)}3. t 


The lermia states that for all p of type pair_dfs whenever (dfs gin 
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X la Qlin p> holds then for all psa of type pair__scc there exists 

psb of type pair see and nm of type nat such that (dfs_scc Gin gin 

X la Qlin p psa psb nm) holds. The main proof step is the elimina- 
tion of (dfs gin x la Qlin p) which reduces the problem to three 
subgoals corresponding to the three depth first search introduction 
rules. 

For defining the relationship between the graf G, vertex x and the 
collection of strongly connected components obtained by a depth 
first search rooted at x we have to hide the irrelevant information 
in <dfs_scc G G x la nil p ( pa i r_scc_i ntro <S 0) nil nil_ll) psb 
nm) such as nm and the fact that edges from x in G is la. Also the 
vertices remaining in the stack (ps_list psb) form the final 
strongly connected component. For this purpose we define the 
dfs_scc_spec relationship. 

Inductive Definition df s_scc__specCg: graf j x : V; 1 la ; 1 1 3 : Prop = 
df s__scc_spec_intro ; <p : pair_dfs><ps : pair_scc) 

<mn ; natXla : 1 i st ) < edges^f rom_i n x g la>-> 

(df8_scc g g X la nil p 

(pa i r_scc_intro (S 0) nil nil_ll) ps mn)-> 

(<ll>lla = (cons__ll <ps_list ps) <ps__ll ps)>>-> 

(df s^scc^spec g x 11a). 

Now our main goal will be to prove 

(G : grafXx : VXlla : 11 I ( df 8_scc_spec G x 11a)}. 

To prove this we first prove the existence of an la such that edges 
from X in G is ia. The main steps of the proof then boils down to 
an induction on la and elimination on the lemma given above. 
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CHAPTER 5 
PROGRAM EXTRACTION 

The constructive proof of a specification has two parts, a logical 
part and a computational part. The logical part is the correctness 
proof necessary for proving that the computational part actually 
meets the specification. An example of this logical part is the 

proof for (x<=y>-><x>y) that comes often in the constructive proof 
for an arithmetical function. 


The program extractor extracts the computational content (program) 
from the constructive proof of a specification. It is based on a 
realizability interpretation that relates the extracted program to 
the original specification. The interest of a realizability 
interpretation is not just to make sure that the extracted program 
is correct but also to give the possibility of interpreting axioms. 
This is as follows. 


Assume that there is program p correct with respect to a specifica- 
tion P and that we develop a proof q of a specification Q under the 
assumption P. The term t extracted from q is not closed and cannot 
be executed. Now if we substitute the occurrences of the assumption 
in the term t by the program p, we get a closed term correct with 
respect to the specification Q. This process of substitution is 
referred to as realization of axioms. 


Thus we may use assumptions which are not provable but for which a 
correct program can be found. We may also use logical assumptions 
in our proof which we need not realize. TP&I 


1 ' ^ 
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In the extraction of the depth first search algorithm and the algo- 
rithm for finding strongly connected components we have to realize 
2 axioms. The set V of vertices is instanciated by the FML int 
type with the command Instanciate V Int. Now the axiom eqV which 
states that equality for vertices is decidable is instanciated by 
Realize eqV Cx,y3 if x=y then left else right. 

Finally the axiom of well founded recursion is realized by 

Realize we 1 l_f ounded_recurs i on 

[x.fKlet rec F = Cy](f y F> in <F x)). 

The resulting programs have a satisfactory computational behavior. 
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CHAPTER A 
CONCLUSION 

We have defined logically the relationship that should hold between 
the input argurttents and the output terrin for depth first search 
algorithm and also for depth first search algorithm for finding 
strongly connected components. This reduces the logical specifica- 
tion of these algorithms to statements of the form for any input 
term there exist an output term such that the (respective) rela- 
tionship holds. We extracted the algorithms that meet these specif- 
ications from their constructive proofs in the Coq programming 
env i ronment . 

The relationship used for the specification of strongly connected 
components is based on depth first search. What remains to be done 
is to prove a high level property of this relationship, which can 
proceed as follows. Define the relationship see of two arguments, a 
graph and a list, which holds true if the vertices of the list 
forms a strongly connected component of the graph. Then the high 
level property of the strongly connected components program 
development reduces to the statement that the vertices of a graph 
(G) can be split into lists such that each list 1 satisfies (see G 
1 ) . 

The difficulty faced in the attempt for a proof of the above pro- 
perty is that proof techniques do not scale up properly. In the 
case of functions where a high level specification can be proved by 
simple induction, the resulting proofs are simple and elegant. How- 
ever, even for trivial algorithms the proof size as well as the 
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subgc)^! si20 can become too overwhelming. Choosing the right indluc~ 
tion hypothesis as well as proving is largely a trial and error 
operation. For example, in some cases it was found easier to prove 
a general statement and then specialize it rather than directly 
prove the specialized statement. Some techniques of proving, e.g, 
writing functions that return propositions for proving inversion of 
definitions and induction without introducing all variables into 
the context are often useful. A collection of heuristic rules to 
help in the proving process can help in reducing the time spent in 
trial and error. 



APPENDIX 
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An Ov«rvi«w of tho Coq Sytttm 

In the Coq system, every correct term has a type, the type itself 
has a type called a sort. There are two sorts of types : Prop and 
Set. An object whose type is a Prop is called a proposition and an 
object whose type is Set is called a specification. 

The main constructions may be briefly described as followsC7]. 

a. names refer to declared variables or declared constants 

b. (M N> denotes the application of functional object M to object 
N. 

c. Cx.-Tj.M abstracts the variable x of type T to form a func- 
tional object. 

c. IndfXrSICl , . . . ,Cn} defines inductively a set or a proposition, 
according to sort S with n constructors of type Cl,..Cn. 

Further cases refer to the constructors of an inductive type, and 
its elimination principles corresponding to an induction principle 
for propositions, and a recursion principle for sets. A high level 
language, called the mathematical vernacular, permits to name these 
conventions conveniently; 

This Appendix is -divided into two main sections. 

Section 1 contains a description of the Tactics Theorem prover. 
Section 2 contains a description of inductive definitions. 



Section J contains an of a proof with Tactics theorem prover. 

1. Tht Tactics Thsorsm Provsr 

The Tactics Theorem Prover is a goal directed inference engine, in 
the spirit of Prolog, but with a proof search mechanism driven by 
the method of tactics pioneered by the LCF systemCll]. The princi- 
ple used is "Truth is Inhabitation", so that to prove proposition 
is to build an element of type this proposition. 

A tactic is a function that takes a goal Q I- C where Q is a con- 
text and C the desired conclusion and returns a list of subgoals 
(Q1 I- Cl , . . . ,Qn I- Cn> and a validation function f such that if 
yl,...,yn are respectively the proofs of Q1 I- Cl,.,.,Qn I- Cn then 
(f yl ... yn> is a proof of Q I- C. 

We shall now briefly illustrate the five basic families of tactics. 

The first class of tactics concern parameter introductions. The 
tactic 'Intro H. ’ whan applied to a goal of the form Q I- A->B, 
returns the subgoal 

QcHiA I- B and impl Icitly a val idation function f which takes a 
proof y of the subgoal and returns (CHliy). The tactic 'Intro H. * 
when applied to a goal of the form 

Q 1“- (x I AXP x) returns the subgoal Q.HsA f- <P H) and implicitly 
a validation function f which takes a proof y of the subgoal and 
returns (CHsAly). In the above two cases the variable name H 
should be such that it is not already the name of some assertion in 


the context Q 
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The second class of tactics is that of resolution tactics, 
the context Q, H is the proof of statement P, then the tactic 
'Apply H' tries to resolve the current goal with the conclusion of 
P . If the matching is successful then Apply generates as many 
subgoals as there are premises in P. The tactic’ 'Apply H* when 
applied to a goal of the form QiH:A->B->C I- C. returns the 
subgoals Q;H:A->B->C I- A and Q;H:A->B->C I- B such that if their 
proofs are yl and y2 respectively then <H yl y2) is a proof of the 
main goal . 


The third class is that of elimination tactics. A brief descrip- 
tion of elimination tactics is given in the section on inductive 
def i n i t i ons . 

The fourth class is that of convertibility tactics. The basic con- 
vertibility tactics are Change and Unfold. An example of Fold tac- 
tic is given in section 5. The tactic 'Change H. ' when applied to 
a goal G, replaces goal G by H, if H is convertible to G by Beta 
rule or elimination rules for inductive terms. 

The fifth class is that of automatic search tactics. The tactic 
Auto tries successively to apply, by order of priority, the axioms 
in Hint list, until finding a complete proof, with a maximal search 
depth of Theorems can be added into the Hint list with the com- 
mand Hint. 

2. Inductive Oifi nit ions 

Inductive definitions allow an internal representation of data 
types, inductive predicates and logical connectives[12] . 


An 



inductively defined type is given by a complete list of construc~ 
tors for that type. We reason about the type with an appropriate 
induction principle, we write programs over the type using itera- 

I 

tion and develop programs using the recursion principle. Induction 
principles as well as recursion principles are not provable in CoC. 
In Coq, these principles are automatically generated from the 
definitions and introduced into the context. The system also real- 
izes automatically the recursion principle with primitive recusive 
operators. An illustration of the various applications of inductive 
definitions are illustrated below with natural numbers. 

The inductive Set of unary natural numbers can be defined by 
Inductive Set nat = 0 : nat I S : nat->nat. 

This defines together with the inductive Set, bound to name nat, its 
two constructors. bound to names 0 and S, an induction principle 
<nat__ind> of type the proposition: 

(P!nat->Prop><P 0>->< (xmat) (P x>->(P <S x> ) > -Xn: nat ) (P n>. 
and a recursion rule <nat_rec), of type the specification: 
(P:nat->SetXP 0)-><<x:nat)<P x>->(P <S x> > >-><n :nat) <P n). 

The type of nat__ind sjtates 4f CP 0> is true and if <P <S x>> is 
true whenever (P xl is true then P : nat->Prop is true for all n. 
Similarly nat_rec states that if (P 0) can be computed and if (P <S 
x)) can be computed whenever (P x) can be computed the <P x> can be 
computed for all x of type nat. 

As an example inductive definition of functions, the definition of 
a function, for the addition of two natural numbers is given below. 
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Definition plus : nat->nat->nat= 

[n ,m: nat ] ( <nat>Match n with 
(#0#) m 

(#S p*) Cp:nat3Cresult:nat3(S result)) 

It can be seen from this example that Match corresponds to higher 
type primitive recursion. An example for the definition of an 
inductive predicate is given below. 

Inductive Definition le : nat->nat->Prop = 
le_0 : (n : nat)(le On) 

I le_S ; (n.m : nat)->(le n m)->(le (S n) (S m)). 

The inductive definition of le introduces into the context two con- 
structors ie_0 and 1 e_S . The constructor le_0 takes as input a 
number n and returns a term of type (le 0 n). The constructor le_S 
takes as input numbers n.m and a term of type (le n m) and returns 
a term of type (le (S n) (S m)). It also introduces into the con- 
text an induction principle le_ind, based on the fact that le is 
the smallest relation closed with respect to the two constructors. 
The type of le^ind is 

(R!hat->nat->Prop) 

( (n;nat) (R 0 n) )-> 

((n.mmatXle n m)-><R n m)->(R (S n) (S m)))-> 

<n,m:nat)(le n m)->(R n m) 

An example application of the induction principle is given below. 
Suppose we have to prove 

(n.mmatXle n ro)-><Q n m) for Qmat->nat->Prop. Then we introduce 
the parameters into the context to get a goal of the form 

<Q n m) 

H : ( 1 e n m.) 
m : nat 
n : nat 
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Now we use the induction principle for le. Instead of directly 
using le_ind in the proof we use the tactic 

Elim H. The application of this tactic result in a second order 
matching of the conclusion (R n m) of the induction principle with 
the goal (Q n m). If this matching is successful then it will 
result in subgoals corresponding to the premises of le_ind. In the 
present example, the subgoals will be 
(n:nat)(Q 0 n) and 

< (n : nat > (m: nat ) ( 1 e n m>->(Q n m)->(Q (S n> <S m) ) . 

If we have proved the basic properties of the le predicate, then we 
can put them into effective use in proving these two subgoals. Thus 
to prove a goal G in context Q, it may be easier to prove that <le 
n m) holds in Q, and then eliminate (le n m> to get less complex 
subgoals. This example clearly illustrates the importance of induc- 
tive definitions. Inductive definitions in Coq help us to introduce 
and realise automatically consistent recursion (induction) princi- 
ples. This often leads to elegant proofs, since we can split a goal 
into less complex goals easily. 

5. A Proof with Tactict Thtorero Prover 

This section contains a version in Coq of the constructive proof 
given by BackhoiiseC^] for the statement that principle of excluded 
middle, though not provable, is not false in constructive logic. 



Goal (A : Prop)~~(A \/ “A). 




<We use the tactic Unfold replace ~ by its definition. The * in 
'Unfold * not* indicated that all occurrences of ♦ in goal should 
be replace by its definition.) 


Coq < Unfold * not. 

1 subgoal 

(A: Prop) ( <A\/A->False)->False)->False 


<We now introduce all the parameters into the context.) 


Coq < Intros. 

I subgoal 
Fa 1 s e 

H ; (A\/A->False)->False 
A : Prop 


(We apply the assumption H to prove the goal. Since H states that 
if (A\/A)->False is true then False is true. Our new goal will be 
to prove A\/<A->False) is true.) 


Coq < Apply H. 

I subgoal 
A\/A->Fal8e 

S6SElSES5CS*SSRSlS0SSSSiSSSSSSl!5®®JC22S3»Sll5SS5SS 

H s <A\/A->False)->Fal8e 
A t Prop 

(Now we have to prove either A is true of A->False is true. We use 
the tactic Right to indicate that we want to prove A->False is 
true.) 


Coq < Right. 

1 subgoal 
A->False 

H : (A\/A->Fal8e)->False 
A ! Prop 



Coq < Intro. 

1 subgoal 
False 

HO ; A 

H : <A\/A->False)->False 
A : Prop 


<We again apply H> 


Coq < Apply H. 
1 subgoal 

A\/A->False 


HO : A 

H : (A\/A->False>->False 
A ; Prop 


(This time we indicate with tactic Left that we want to 
A is True. Since we already have the proof HO of A 
Assumption tactic to indicate this) 


prove that 
we use the 


Coq < Left jAssumption. 
Goal proved! 



APPENDIX 2 

Som* Graph Problamt in Coq 

Proflram Davtloprn«nt Through Proof Transformation 
(##**##*##*******###*#***###****<<.*#**#*##*##**###****♦♦***###) 
Parameter V : Set. 

Axiom eqV ; <x,y : V> C<V>x = y } + f ~<V>x=y 3 . 

Inductive Set list = nil : list I cons : V -> list -> list. 

Local abs_prop = 

C 1 : 1 i st] < <Prop>Match 1 with 
(* nil #) True 

<* cons am*) Ca;'^][m: 1 ist3CP:Prop3False) . 

Goal <a: VXm: 1 i st)~<l ist>ni l = (cons a m) . 

Unfold not i Intros a m h. 

Change <abs_^prop (cons am)). 

Elim h ! Simpl s Auto. 

Save nil_cons. 

Goal <1 ; list){<list>nil=l}+C~<list>nil=l). 

Induction 1 . 

Lef t ;Auto. 

IntrossRightjApply nil_cons. 

Save n i l^or^not^n i 1 . 

Global app. 

Body C 1 ,m: 1 i8t3 ( <1 i8t>Match I with 

(* ni 1 *) m 

(# cons a m *) Ca!V 3 Cm! 1 i st3 (cons a)) 

! 1 ist->l ist->l i st. 

(*1 ist membership funp|:ion*) 

Definition occurs_in. 

Body Cl : listICx : V3(<|?rpp>Match 1 with 

" JtM' 1 S 6 

Ca j VHm : listICP .* Prop3 
<<V>x=a) \/ P) . 

Goal '.<x'.^ : y)*^< 0 'dcMrs^in,',hi 1, 

Intro rSimpljUnl^plidr not to • 

Save ' not__^(jGcurf__i hj^^n i l.v 

Goal <x !V)<v .:V>(y ? 

(occurs^^ln (cons v y) x) *’Xoccurs_in y x) . 

Simpl ; Intros . 

Elim, HO. . 

IntrojElim HjAssumpitton^, 



Intro ; Assumpt i on . 

Save occurs__i n_prop . 

Goal (X : V><1 s 1 ist>C(occurs_in 1 x) } + f~<occurs in 1 x>> 
Intros ; El im I . — 

Right; Apply not_occurs_i n_n i 1 ; Assumpt ion. 

Intros;Elim <eqV x v). ” 

Intro;l_eft{Si mpl ; Left ; Auto . 

IntrojElim H;Intros, 

Left;Simpl ;Right;Auto. 

Right lUnfold not ; I ntro ; El im bO; 

Apply occurs__i n__prop with v;Auto. 

Save occurs_in_or_not . 

Goal (x ; V> ( la, lb; 1 ist) ( <occurs_in la x>\/<occurs_in lb x>)-> 
<occurs_in (app la lb> x). 

Intros . 

Elim HjElim lajSimpl ;Auto. 

Intro Q ; El im Q . 

Intros . 

Elim HI ; Auto . 

Save occurs__in__app__propa. 

Goal <x:V> < la, lb: 1 ist) (occurs__in (app la lb) x)-> 

<(occur8__in la x)\/(occurs_in lb x)>. 

Intros until IbjElim la ; Simpl ; Intros ; Auto . 

El im HO ; Auto. 

IntrosjCut <<occurs_in y x)\/<occurs__in lb x>);Intros. 

Elim H2 ; Intros ? Auto . 

Auto. 

Save occurs_in_app^propb, 

<#r«mov# vert ice from Het*) 

Inductive Definition rm^V^^l isttx j V] : 1 ist->l ist->Prop = 
ni l^rm__V^I i st i (rm^V^list x nil nil) 

I cons rm_V list! i (y ; VXl ; list)(m .• list) 

(rm_V_l i8t X 1 m)-><"'(<V>x=y> )-> 
(rmTv^liBt X (cons y 1) (cons y m)) 

I cona^rm^V^l i stZ s (I ; listXm : list) 

~ <*'f’L,V_Ust X 1 m)-> 

<rm~V~li8t X (cons x 1) m) . 

Goal (x ! VXl I list)Ilx t list I (|'m__V__list x 1 lx)}. 

Intros t'EI im 1 . ‘ _ , 

Apply exiat with niljApply hi l_rm_V_l ist, 

IntrostElim (eqV x v> ; IntrosEl im H;Intros. 

Apply exist with xO s Elim a. 

App 1 y cons__rm^V_l i stZ * Assumpt ton . 

Apply exisT wTth (cons v xO). ' 

Apply con8_,rm__V_^l istl ? Auto* 

Save rm^V^Ti 8t_Jfn . 

(♦property <a> a vertice does not occur in a list 

from which it is removed 



property (b) vertices other than the removed vertice 
remain in the list*) 

Goal <l,lx : list)(x : V) ( rm__V_l i st x 1 lx)-> 

(~<occurs_in lx x>). 

Intros . 

El im H. 

Apply not_occurs_i n_n i 1 ; Auto . 

Unfold * not; Intros. 

Elim Hl;Apply occurs_i n_prop vsiith y;Auto. 

Auto . 

Save rm_V_l i st_propa . 

Goal (x . y : V> ( 1 , lx: 1 ist ) (rm_V_l i st x 1 lx>-> 

< ~<V>x=y > -><occurs_i n 1 y ) ->(occurs_in lx y>. 

Intros until 1 x ; Intro ; Intro . 

Elim H ; Simpl ; Intros ; Auto . 

Elim H4 ; Auto . 

Elim H5 ;Auto; Intro;El im H0;Auto. 

Save rm_V_l i st_propb . 

Inductive Definition graf : Set = 
nil_graf : graf 

I cons_graf : V-> 1 i st->graf ->graf . 

<*edges from a vertice in a graf*) 

Inductive Definition edges_f rom_i nCvl : V] : graf-> 1 i st->Prop = 
edges_f rom_n i 1 : < edges__f rom_i n vl nil_graf nil) 

I edges_f rom_in_l ; (v2 : VXll : grafXtl : listXt2 : list) 

< edges_f rom_i n vl 11 tl)-><<V>vl = v2) -> 

< edges_f rom_i n vl (cons_graf v2 t2 11) t2> 

I edges__f rom_in_2 : <v2 : VXll ; grafXtl : listXt2 : list) 

<edges_from__in vl 11 tl)-><~<V>vl = v2) -> 

( edges_f rom_i n vl <cons_graf v2 t2 11) tl>. 

Goal <v : V)(n : graf) 

Cm : list I (edges_from_in v n m) 1 . 

Intros . 

E 1 im n . 

Apply exist with nil; Apply edges_f rom_ni 1 . 

Intros. 

Elim <eqV v v0> ; Intros ;E1 im H;Intros. 

Apply exist with l;Apply edges__f rom_i n_l with x ;Auto. 

Afiply exist with x;Apply edges_f rom_in_2 ; Auto . 

Save edges_f rom_in_fn . 

Definition locals. 

Body CG: graf JC 1 ,m: 1 i st] ( <Prop>Match G with 

(<1 ist>l=m) 

[a: V]Cb: 1 i st ] [c; graf] Cd: Prop] 

T rue ) . 


Definition localb. 

Body Cx:V]CG:graf ]£ I : I ist]<<Prop>Match G with 



True 

Ca:V3Cb; 1 ist3Cc:graf3[d;Prop] 
(<<V>x=a)-><<l ist>b=l>>> . 


Definition locale. 

Body [x : V3 CG; graf 3 Cm: 1 i st 3 < <Prop>Match G with 

T rue 

Ca:V3Cb:list3Cc: graf 3 Cd: Prop3 
< <''<V>x=a> -><edges_f rom_in x c m> ) > . 

(*edge_list of a vertice in a graf is unique*) 

Goal (G : graf><x : V>(l,m : list) 

( edges_f rom_i n x G 1 ) -X edges_f rom_i n x G m)->< < 1 i st> 1 =m) . 
Induction G. 

Intros {Change (locala nil_graf 1 m) . 

E 1 im H . 

Elim HO ; S impl ; Auto . 

S impl ; Auto . 

S impl ; Auto . 

Intros until m;Elim (eqV x v);Intro. 

Elim a ; I ntros ; 

Cut <GG:graf ) (vert:V)(la, lb: 1 ist) 

(edges_from_in vert (cons_graf vert la GG) lb)-> 

<<1 ist>la=lb) ; Intros. 

ElimType <list>l=m. 

ElimType < 1 i st> 1 = 1 0 ; Auto . 

Apply H2 with y x;Auto. 

Apply H2 with y x;Auto. 

Cut <<V>vert=vert) {Auto. 

Change (localb vert <cons_graf vert la GG) lb). 

Elim H2 { Simpl { Auto . 

I ntros . 

El im H5{Auto. 

Cut < la: 1 ist) (edges_from_in x <cons_graf v 1 y> la)“> 
<edges__from_in x y la) {Intros. 

Cut (edges_f rom_in x y m) . 

Cut (edges_from__in x y 10) {Intros. 

Apply H with x;Auto. 

Apply H0{Auto. 

Apply H0{Auto. 

Cut <~<V>x=v> ; Auto . 

Change (locale x (cons_graf v 1 y) la) {Elim H0{ 

Simp! {Auto. 

Intros . 

Elim H4;Auto. 

Save edges__f rom__in_prop. 

Inductive Definition edgeCG:graf ;x,y :V3 : Prop = 
edge_intro : <1 : 1 ist ) <edges__from_in x G l)-> 

(occurs_in 1 y)-><edge G x y). 

Goal <x.y:V)~(edge nil_graf x y). 

Unfold * not{Intros. 

Elim H. 
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Intro; Intro ;E1 imType <1 ist>ni 1 = 1 . 

Apply not_occurs_i n_n i 1 ; Auto . 

Cut ( edges_f rom__i n x nil_graf nil); Intros. 

Apply edges_f rom_i n_prop with nil_graf x;Auto. 

Apply edges_f ronn_n i 1 . 

Save edge_propa. 

Goal <G: graf > ( X . y : V> ( 1 : 1 i st > < edge G x y>-> 

< edges_f rom_i n x G 1 > -X occurs_i n 1 y). 

Intros;Elim H;Intros. 

El imType(<l ist>10=l) :Auto. 

Apply edges_f rom_i n_prop with G x;Auto. 

Save edge_propb. 

Definition local . 

Body Cx : V3 CG: graf 3 [m: 1 i st 3 < <Prop>Match G with 

T rue 

Ca : V3 Cb : 1 i st 3 Cc : graf 3 Cd : Prop3 
( (~<\/>x=a> ->< edges_f rom_i n x c m) > > . 

Goal (G : graf > < X , y , z : V) ( 1 : 1 i st ) 

(edge <cons_graf x 1 G ) y z ) -X ~<V>x=y ) -X edge G y z> . 
Intros;Elim H;Intros. 

Cut ( edges_f rom_i n y G 10); Intros. 

Apply edge_intro with 10;Auto. 

Cut (~<V>y=x). 

Change (locale y (cons_graf x 1 G) 10);Elim HI ; S impl ; Auto . 
Intros. 

El im H6 ; Auto . 

Unfold not ; Intro;El im H0;Auto. 

Save edge_propc. 

Goal (G: graf ) ( X , y , z ! V) ( 1 : 1 i st ) 

(edge G y z)-X'“<V>x=y)-Xedge (cons_graf x 1 G ) y z) . 
Intros . 

El im H; Intros . 

Cut ( edges_f rom_i n y (cons_graf x 1 G) 10); Intros. 

Apply edge__intro with 10;Auto. 

Apply edges_f rom__in_2 ; Auto . 

Unfold not; Intro;El im H0;Auto. 

Save edge_propd. 

Goal (G : graf)(x,y : V)C(edge G x y)}+C~(edge 0 x y)}. 
Intros;Elim (edges_f rom_in_fn x G); Intros. 

Elim (occurs_i in_or__not y xO); Intros. 

Left;Apply edge_intro with xO;Auto. 

Right; Unfold not;Intros. 

Elim b. 

Apply edge_propb with G x;Auto. 

Save edge_prope . 

(♦add a new edge to a graf*) 

Inductive Definition cons_edge_graf CG;graf ;x,y: V3 s graf->Prop = 
cons^edge_^graf_intro : (1 : 1 ist) (edges_from_in x G l)-> 
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< cons_edge_graf G x y <cons_graf x (cons y 1) G)>. 

Goal <G : graf){x : V>(y ; V) 

CGxy : graf I < cons_edge_graf G x y Gxy)}. 

Intros;Elim < edges_f rom_i n_f n x G); Intros. 

Apply exist with (cons_graf x (cons y xO) G) . 

Apply cons_edge_graf_i ntro ; Auto . 

Save cons_edge_graf_f n . 

Goal (G, Gxy : graf >( X , y : V) ( cons_edge_graf Gxy Gxy>-> 

( edge Gxy x y > . 

Intros . 

El im H. 

I ntros ; 

Cut ( edges_f rom_i n x (cons_graf x (cons y 1) G> (cons y 1>>; 

Intros . 

Cut (occurs_in (cons y 1) y>; Intros. 

Apply edge_intro with (cons y l>;Auto. 

S impl j Auto . 

Apply edges_f rom_in_l with l;Auto. 

Save cons_edge_graf_propa . 

Goal (x , y ; V) (G , Gxy : graf > (cons_edge_graf Gxy Gxy>-> 

( (p , q ; V> ( edge G p q)->(edge Gxy p q>). 

Intros . 

El im H; I ntros . 

El im HO ; Intros . 

Elim (eqV p x); Intros. 

El im a ; Intros . 

Cut (edges_f rom_in p (cons_graf p (cons y 1 > G) (cons y 1)); Intros. 
Cut (occurs__in (cons y 1) q); Intros. 

Apply edge_intro with (cons y l>;Auto. . 

S impl {Right. 

ElimType (<1 ist>10=l ) ; Auto. 

Apply edges_f rom_i n_prop with G x;Auto. 

Elim a ; Auto . 

Apply edges_from_in_l with 10; Auto. 

Apply edge_propd;Auto. 

Unfold not ; Intros ; El im b;Auto. 

Save cons_edge_graf_propb. 

(♦add a graf to a graf^> 

Inductive Definition union__graf CG:graf 3 : graf->graf->Prop = 
ni l__union__graf : (union__graf G nil_graf G) 

I cons_union_graf ; (x : VXla ; listXlb s list) 

(Gb ; grafXGc : graf) 

(union_graf G Gb Gc)->(edges_f rom_in x G ia)-> 

(union_graf G (cons__graf x lb Gb) 

(cons_graf x (app la lb) Gc)). 

Goal (Ga,Gb ; graf)CGc : graf J (union_graf Ga Gb Gc)}. 

Induction Gb; Intros. 

Apply exist with Ga;Apply ni l_union_graf . 

Elim H;Intros. 



Elim ( eri 9 fc!y_f rom_i n_f n v Ga); Intros. 

Apply exist with (cons_graf v <app xO 1> x>. 

App 1 y cons_un i on_graf ; Assumpt i on . 

Save un i on_graf_fn . 

Goal (Ga.Gb.Gab ; graf > ( un i on_graf Ga Gb Gab)-> 

< <x,y:V> ( (edge Ga x y)\/<edge Gb x y)>-> 

< edge Gab x y > > . 

Intros until Gab ; Intro ; El im H. 

Intros;Elim H0;Auto. 

Intro;Cut “(edge nil_graf x y); Intros. 

Elim H2 ; Auto . 

Apply edge_propa. 

Intros unt i 1 y . 

Elim (eqV x xO);Intro. 

Elim a ; Intros . 

Cut (occurs_in (app la lb) y) . 

Cut ( edges_f rom_i n x (cons_graf x (app la lb) Gc)(app la ib)>. 
Intros;Apply edge_intro with (app la lb);Auto. 

Elim ( edges_f rom_i n_f n x Gc); Intros. 

Apply edges_f rom_i n_l with xl ;Auto. 

Elim H5 ; Intros . 

Cut (occurs_in la y>jIntros. 

Apply occurs_i n_app_propa ; Auto . 

Apply edge_propb with Ga x;Auto. 

Cut (occurs_in lb y>; Intros. 

Apply occurs_i n_app_propa ; Auto . 

Cut ( edges_f rom_i n x (cons__graf x lb GbO) lb>; Intros. 

Apply edge_propb with (cons_graf x lb GbO> x;Auto. 

Elim ( edges_f rom_i n_fn x GbO); Intros. 

Apply edges_f rom_in_l with xl;Auto. 

Intros;Cut ((edge Ga xO y)\/(edge GbO xO y>); Intros. 

Elim (HI xO y H4); Intros. 

Cut (edges_f rom_in xO (cons_graf x (app la lb) Gc) 1); Intros. 
Apply edge_intro with l;Auto. 

Apply edges_from_in_2 ; Auto . 

Unfold not ; Intro;El im bjAuto. 

Elim H5 ; Auto. 

Intro;Right {Apply edge_propc with x lb;Auto. 

Save un i on_graf_propa . 


Goal (Ga.Gb.Gab •. graf ) (uni on_graf Ga Gb Gab)-> 

(x.yrVXedge Gab x y)->((edge Ga x y)\/(edge Gb x y)). 
Intros until Gab; Intro;El im H;Auto. 

Intros until y;Elim (eqV xO x);Intro. 

Elim a; Intros . 

Cut <edges_f rom_in xO (cons__graf xO (app la lb) Gc) (app la 
Intros. 

Cut ({occurs__in la y) \/ (occurs_in lb y>); Intros. 

Elim ; Intros . 

Left;Apply edge_intro with Ia;Auto. 

ElimType (<V>x=xO) ;Auto. 

RightjApply edge_intro with lb;Auto. 

Elim (edges from__in__fn xO GbO); Intros. 


lb)) 



Apply edges_f rom_i n_l with xl;Auto. 

Apply occurs_i n_app_propb . 

Apply edge_propb with <cons_graf xO (app la lb> Gc > xO;Auto. 
Elim < edges_f rom_i n_f n xO Gc); Intros. 

Apply edges_f rom_i n_l with xl;Auto. 

Intro;Cut (edge Gc xO y);Intros. 

Cut ((edge Ga xO y> \/ (edge GbO xO y )>; Auto ; Intros . 

El im ; Auto . 

Intros ;Ri ght ; Apply edge_propd ; Auto . 

Unfold not ; Intro ; E 1 im b;Auto. 

Apply edge_propc with x (app la lb);Auto. 

Unfold not ; Intros ;E1 im b;Auto. 

Save un i on_graf_propb . 

(■"■remove vertice from a graf^") 

Inductive Definition rm_V_graf Cx iV] : graf->graf->Prop = 
n i l_rm_V__graf : (rm_V_graf x nil_graf nil_graf> 

I cons_rm_V_graf 1 : (Ga : grafXGb : graf) 

(1 : 1 i st ) ( rm_V_graf x Ga Gb)-> 

(rm_V_graf x (cons_graf x 1 Ga) Gb) 

1 cons_rm_V_graf 2 : (y : V)(Ga : graf)(Gb : graf) 

(la ; list)(lb : 1 i st ) ( rm_V_l i st x la lb) -X ~( <V>x=y ) ) -> 

( rm_V_graf x Ga Gb)-> 

(rm__V_graf x (cons_graf y la Ga) (cons_graf y lb Gb) ) . 

Goal (x : V)(G : graf)( Gx ; graf I (rm_V_graf x G Gx)}. 
Induction G; Intros. 

Apply exist with ni l_graf ; Apply n i l_rm_V_graf . 

El im H ; Intros . 

Elim (eqV x v);Intro. 

Elim a;Apply exist with xO;Appiy cons_rm_V_graf 1 ; Auto . 

Elim ( rm_V_l i st__f n x 1); Intros. 

Apply exist with <cons_graf v xl xO);App4y cons_rm_V_graf 2 ; 
Auto . 

Save rm_V_graf_f n . 

(■"■If a vertice is removed from a graf, 

there is no edge from or to that vertice^*) 

Goal (x , y : V> (G.Gx : graf > (rm_V_graf x G Gx)-> 

((~(edge Gx x y)>/\(~(edge Gx y x)>). 

Intros X y G Gx Q;Elim Q. 

Split;Apply edge_propa; Auto . 

Auto. 

Unfold * not; Intros. 

Elim H2 ; Intros ;Spl i t . 

Intro;Elim H?;Apply edge_propc with yO lb;Auto- 
Unfold not ; Intro ; El im HO ; Auto . 

Elim (eqV y yO);Intro. 

Elim a; Intro. 

Cut (edges_from__in y (cons_graf y lb Gb) lb) .-Intros. 

Cut (occurs_in lb x). 

Change ~(occurs_in lb x);Apply rm_V_l i st_propa with la;Auto. 
Apply edge^propb with (cons_graf y lb Gb) y;Auto. 
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Elim (edges_f rom_in_fn y Gb); Intros. 

Apply edges_f rom_in_l with xOjAuto. 

IntrojCut (edge Gb y x);Auto. 

Apply edge_propc with yO lb;Auto. 

Unfold not ; IntrojEl im b;Auto. 

Save rnr)__V_graf_prop. 

Inductive Definition pair_dfs : Set = 

pair_dfs_intro : (ga.gb : grafXl : 1 i st )pa i r_df s . 

Definition pd_grafa. 

Body Cd : pa i r_df s] < <graf >Match d with 

Cga : grafKgb : graf][l : listjga). 

Definition pd_grafb. 

Body Cd : pa i r_df s] ( <graf >Match d with 

Cga : graflCgb : graf3CI : listjgb). 

Definition pd_list. 

Body Cd : pa i r_df s3 ( < 1 i st>Match d with 

Cga : graflCgb : graflCl : list31). 

<*depth first search*) 

Inductive Definition dfs; graf->V-> 1 i st-> 1 i st-> 

pa i r_df s->Set = 

init_dfs : (gin. gout ; graf)(vert : V)(Qlin : list) 

( rm_V_^graf vert gin gout)-> 

(dfs gin vert nil Qlin 

(pa i r_df s_i ntro gout nil_graf (cons vert Qlin))) 

I cons__dfsa ; (gin : graf ) (verta . vertb : V)(Qlin : list) 

(1: list)(p : pa i r_df B ) (df s gin verta 1 Qlin p)-> 

(occurs_in (pd__list p) vertb)-> 

(dfs gin verta (cons vertb 1) Qlin p) 

I cons__dfsb : (gin.Qgab.Qgc : graf > (verta, vertb : V)(Qlin : list) 
(la, lb : list)(pa,pb ; pair_dfs) (dfs gin verta la Qlin pa)-> 
(~(occurs__in (pd_list pa) vertb))-> 

(edges__fro^m_in vertb (pd_grafa pa) lb)-> 

(dfs (pd_grafa pa) vertb lb (pd_list pa) pb)-> 

(union_graf (pd_grafb pa) (pd_grafb pb) Qgab)-> 

( cons_jBdge_graf“*Qgab verta vertb Qgc)-> 

(dfs gin verta (cons vertb la) Qlin 

(pair__dfs_^intro (pd__grafa pb) Qgc (pd_list pb))). 

(* removal of minimum one vert ice with nonnil 
edge list gives a proper subgraf *) 

Inductive Definition subgrafCG : graf] :graf->Prop = 
subgraf__introa : (Gs : grafXx ; VXl : list) 

(edges from_in x G 1 )->(~<l ist>ni 1 = 1 )-3^ 

(rm_V_graf x G Gs )->( subgraf G Gs) 

I subgraf introb : (Gs.Gss : grafXx : V) 

(subgraf G Gs)->(rm_V__graf x Gs Gss>-> 

(subgraf G Gss) . 

Goal (ga.gb.gc .* graf ) (subgraf ga gb)->( subgraf gb gc)-> 

(subgraf ga gc). 

IntrosjElim HOj Intros. 
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Apply subgraf_i ntrob with gb x;Auto. 

Apply subgraf_i ntrob with Gs x;Auto. 

Save subgraf_prop . 

Variable well_founded : ( A : Set > ( A->A->Prop> ->Prop . 

Axiom graf_wf : <A : Set > ( f : A->graf > 

(we 1 l_f ounded A Cal , a2 : A] ( subgraf <f a2><f al ) ) ) . 

Axiom wel l_founded_recursion : ( A : Set > <R : A->A->Prop> 

(we 1 l_f ounded A R) -X P : A->Set > 

(a:A> ( (b:A) ( (c;A) (R c b>->(P c>)->(P b>> -XP a). 

Definition id_graf. 

Body Ca : graf3a : graf->graf. 

Inductive Definition ex i st_spCA: Set ; P : A->Set ; Q : A->Prop3 : Set= 
exist_sp_intro : (x : AXP x)-XQ x)-Xexist_sp A P Q>. 

Goal (gin : graf>(x : V)(l : list)(Qlin : list) 

( edges_f rom_i n x gin 1 > -X~< 1 i st>n i 1 = 1 > -> 

(extst__sp pair_dfs 
Cp:pai r_dfs] (df s gin x 1 Qlin p) 

Cp : pa i r_df s3 ( subgraf gin (pd_grafa p>)). 

Intro ginjPattern gin; 

Apply (we 1 l_f ounded_recurs i on graf Cx , y : graf] ( subgraf y x>>. 
Cut ( we 1 l_f ounded graf 

Cal,a2 : graf 3 (subgraf (id_graf a2> (id_graf 

al ) ) ) . 

Unfold * i d_graf ; Intro ; Exact H. 

Apply graf_wf. 

Intros;Elim l;Intros. 

El im(rm_V_graf__fn x b>; Intros. 

Apply ex i st_sp_i ntro with 

(pa i r_df s__i ntro xO nil_graf (cons x Q1 i n ) ) ; Simpl . 

Apply i n i t_df s ; Auto . 

Apply subgraf_i ntroa with x l;Auto. 

Elim H2;Intros. • 

Elim (occurs_i n_or_not v (pd_list x0)>; Intro. 

Apply ex i st_sp_i ntro with xO;Auto. 

Apply cons__df sa ; Auto . 

Elim (edges_f rom_in_fn v (pd_grafa x0>>; Intros. 

Elim (n i l_or_not_n i 1 xl); Intros. 

Elim ( rm_V_graf_f n v (pd__grafa x0>>; Intros. 

Cut (subgraf b x2); Intros. 

Cut (dfs (pd_grafa x0> v xl (pd_list x0> 

(pai r_df s_intro x2 nil_graf (cons v (pd_list x0)>>>; 
Intros. 

Elim (union_graf_fn (pd_grafb x0> 

(pd_grafb (pai r_dfs_i ntro x2 nil_graf 

(cons v (pd_list xO >>>>>; Intros . 

Elim (cons_edge_graf_fn x? x v); Intros. 

Apply ex i st_sp_i ntro with 
(pair dfs_intro 
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<pd_grafa <pa i r_df s_i ntro x2 nil_graf (cons v (pd_list x0)>>> 
x4 

<pd_Iist (pa i r_df s_i ntro x2 nil_graf (cons v (pd_list x0>)>>>. 
Apply cons_dfsb with x5 xl xO;Auto. 

S impl ; Auto . 

Eiim a;Apply i n i t_df s ; Auto . 

Apply subgraf_i ntrob with (pd_grafa x0> v;Auto. 

Eiim (H (pd_grafa xO) q v xl (pd_list xO) pO bl);Intros. 

Cut (subgraf b (pd_grafa x2)). 

Eiim ( un i on_graf_f n (pd_grafb x0> (pd_grafb x2>>; Intros. 

Eiim ( cons_edge_graf_f n x5 x v>; Intros. 

Apply ex i st_sp_i ntro with 

(pa i r_df s_i ntro (pd_grafa x2) x4 (pd_list x2 >); S impl ; Auto . 

Apply cons_dfsb with x3 xl xOjAuto. 

Apply subgraf_prop with (pd_grafa xO);Auto. 

Save dfs_prop. 

Inductive Definition df s_specCG: graf ; x : V ; p : pa i r_df s3 : Prop = 
df s_spec_i ntro : (1 : 1 i st > ( edges_f rom_i n x G l>-> 

(dfs G X 1 nil p>-> 

(dfs_spec G X p) . 

Goal (G : graf)(x : V> 

fp : pair_dfs i (dfs_spec G x p>>. 

IntrosjElim ( edges_f rom_i n_f n x G); Intro. 

Eiim (n i i_or_not_n i 1 xO); Intro. 

Eiim a ; Intros . 

Eiim ( rm_V_graf_f n x G>; Intros. 

Apply exist with (pai r_dfs_intro xl nil_graf (cons x nil)). 
Apply df s_spec_i ntro with niljAuto. 

Apply i n i t_df s ; Auto . 

Intro H;Elim (dfs_prop G x xO nil H b ); Intros. 

Apply exist with xl ; 

Apply df s_spec_i ntro with xO;Auto. 

Save dfs_prog. 

Inductive Definition min[x,y.: nat] : nat-> Prop = 
min_le : (le x y)->(min x y x) 

I min_gt :(gtxy)->(minxyy). 

Goal (x . y : nat ) Cz : nat i (min x y z)>. 

Intros; Eiim (le_or_gt x y); Intro. 

Apply exist with x;Apply min_le;Auto. 

Apply exist with y;Apply min_gt;Auto. 

Save min_fn. 

Goal (n.m : . nat ) C<nat>n=m3+C~<nat>n=m> . 

Induction n. 

Induction m. 

Left;Auto. 

Intros ; El im H . 

Intros;Right. 

Eiim a; Auto. 

Intros ; Auto . 



I ntros ; E 1 im m. 

ElimType C<nat>0=(S y ) }+C~<nat>0=(S y>};Auto. 

I ntros ; R i ght ; Unf o 1 d not;Intros. 

Elim b;Elim H0;Auto. 

IntrosjElifn <H yO ); Intro ; Auto . 

Right;Unfold not ; Intros ; El im b;Auto. 

Save eqnat. 

Inductive Definition 11 : Set = 
nil_li : 11 

I cons_l 1 : list -> 11 -> 11. 

Inductive Definition rm_l_l C 1 : 1 i st 3 : 1 i st-> 1 i st->Prop = 
rm_l_l_nil : (rm_l_l 1 nil nil) 

I rm_l_l_consa : (la, lb : list)(v : V>(rm_l_l 1 la lb)-> 
(occurs_in 1 v>->(rm_l_l 1 (cons v la) lb) 

I rm_l_l_consb : (la, lb : list)(v : V)(rm_l_l 1 la lb)-> 

(~(occurs_in 1 v))->(rm_l_l 1 (cons v la) (cons v lb)). 

(♦Ic is the list of vertices in lb that are not in la*) 

Goal (la, lb t list)Clc : list I (rm_l_l la lb lc)>. 
Intros;Elim lb;Intros. 

Apply exist with niljApply rm_i_l_n i 1 ; Auto . 

Elim H;Intro;Eiim (occurs_i n_or_not v la); Intros. 

Apply exist with x;Apply rm_l_l_consa ; Auto . 

Apply exist with (cons v x);Apply rm_l_l_consb ; Auto . 

Save rm_l_l_fn. 

(*for each vertice defines the position at which 
it occurs in a list*) 

Inductive Definition depthCx: V3 ; 1 ist->nat->nat->Prop = 
depth_nil : (depth x nil 00) 

1 depth__consa : (1 ; list)(m,n ; nat)(depth x 1 m n)-> 
(depth X (cons x 1) (S m) (S m) ) 

I depth_consb : (1 : list)(v : V)(m,n : nat) 

(depth X 1 m n) ->(~<V>x=v)-> 

(depth X (cons v 1) (S m) n) . 

Inductive Definition depth_specCx : V; 1 : 1 i st 3 : nat->Set= 
depth_spec_intro : (m,n : nat) (depth x 1 m n)-> 

(depth_spec x 1 n). 

Goal (x : V)(l ; list)Cn ; nat & (depth_spec x 1 n)>. 
Induction 1. 

Apply exists with 0;Apply depth_spec_intro with 0; 

Apply depth^nil. 

Intros;Elim H;Intros. 

Elim p;Elim (eqV x v);Intros. 

Elim a.-Apply exists with <S m) ; 

Apply depth_spec_i ntro with (S m) ; 

Apply depth_consa with n;Auto. 

Apply exists with n; 

Apply depth__spec_i ntro with (S m) ; 

Apply depth_consb: Auto. 



Save depth_spec_f n . 

Inductive Definition depth_mi nC 1 i s : 1 i st ; def : nat ; df s_l i st : 1 i stD 

: 1 i st->nat->Prop = 

depth_nni n_n i 1 : Cdepth_min lis def dfs_list nil def) 

I depth_mi n_consa : (1 : list)<v : V> <m, n , o : nat > 

(depth_min lis def dfs_list 1 m) -><occurs_in lis v)-> 
<depth_spec v dfs_list n)->(min m n o)-> 

(depth_min lis def dfs_list <cons v 1) o) 

I depth_mi n_consb : <1 : listXv ; V><m:nat> 

<depth_min lis def dfs_iist 1 rin>-><~(occurs_in lis v>)-> 
<depth_min lis def dfs_list (cons v 1) m> . 

Goal (lis : list)(def : nat > ( df s_l i st : listXl : list) 
fn : nat I (depth_nnin lis def dfs_list 1 n>}. 

Intros ; El im l;Intros. 

Apply exist with def;Apply depth__mi n_n i 1 . 

Elim H;Elim ( occurs_i n_or_not v lis>;Intros. 

Elim (depth_spec_f n v df s_l i st ) ; I ntros . 

Elim (min_fn x xO>;Intros. 

Apply exist with xljApply depth_mi n_consa with x xO;Auto. 

Apply exist with x:Apply depth_mi n_consb ; Auto . 

Save depth_mi n_f n . 

Inductive Definition pair_scc ; Set = 

pa i r_scc_i ntro : nat-> 1 i st-> 1 1 ->pa i r_scc . 

Definition ps_num. 

Body Cp : pa i r_scc] ( <nat>Match p with 

Ca : natJCc : listlCd : ll]a>. 

Definition ps_list. 

Body Cp : pa i r_scc3 ( < 1 i st>Match p with 

Ca : nat3Cc : listDCd : ll]c>. 

Definition ps_l 1 . 

Body Cp : pa i r_scc3 ( < 1 1 >Match p with 

Ca : nat3Cc : listJCd : 113d). 

Inductive Definition df s_sccCGi n : graf 3 
: graf->V->i ist->l ist->pair_dfs-> 
pair_scc->pair_scc->nat->Prop = 
init_dfs_scc : (gin, gout, Qg : graf)(vert : V)(Qlin : list) 
(ps : pair_scc) (rm_V_graf vert gin gout)-> 

(dfs_scc Gin gin vert nil Qlin 

(pair_dfs_intro gout Qg (cons vert Qlin)) ps 
(pai r__scc_intro <S(pB__num ps)> (cons vert (ps_list ps>) 
(ps_ll ps)) (ps_num ps)) 

I cons__df s_sccl : (gin : graf ) ( verta, vertb : V) 

(Q1 in; 1 ist) ( 1 : 1 ist)(minnat,newmin : nat) 
(p:pair_dfs)(pin,pout : pair_scc) 

(dfs_scc Gin gin verta 1 Qlin p pin pout minnat)-> 

(occurs_in (pd_list p) vertb)-> 

(depth_min (ps_list pout) mi nnat <pd_I i st p) 

(cons vertb nil) newmin)-> 

(dfs__scc Gin gin verta (cons vertb 1) 



Qlin p pin pout newmin) 

I cons_df s_scc2 ; <gi n , Qg : graf ) < verta , vertb : V> 
(Qlin,la,lb.lc,lis:iist><pa.pb : pair_dfs> 

<psa,psb,psc : pa i r_scc > <mi nnata ,mi nnatb , newmi n : nat) 
Cdfs_scc Gin gin verta la Qlin pa psa psb minnata)-> 
{~(occurs_in (pd_list pa) vertb)>-> 

< edges_f rom_i n vertb <pd_grafa pa) lb)-> 

<dfs_scc Gin (pd_grafa pa) vertb lb (pd_list pa) 
pb psb psc minnatb)-> 

( edges_f rom_i n vertb Gin lc)-> 

(depth_min (ps_list psb) minnatb (pd_list pb) Ic newnnin)-> 
< <nat>(ps_num psb) =newmi n ) - > 

<rm_l_l (ps_list psb) (ps_list psc) lis)-> 

(dfs_scc Gin gin verta (cons vertb la) Qlin 

<pair_dfs_intro (pd_grafa pb) Qg (pd_list pb>) 
psa < pa i r_scc_i ntro (ps_num psc) 

(ps_list psb) <cons_ll lis (ps_ll psc))) minnata) 

I cons_df s_scc3 : < gi n , Qg : graf ) (verta . vertb : V) 
(Qlin,la,lb,lc:list)(pa.pb : pair_dfs) 

(psa, psb, psc : pai r_scc) (mi nnata, minnatb , newmi n, nm : nat) 
(dfs_scc Gin gin verta la Qlin pa psa psb minnata)-> 
(~(occurs_in (pd_list pa) vertb))-> 

( edges_f rom_i n vertb (pd_grafa pa) lb)-> 

(dfs_scc Gin (pd_grafa pa) vertb lb (pd_iist pa) 
pb psb psc minnatb)-> 

( edges_f rom_i n vertb Gin lc)-> 

(depth_min (ps_list psb) minnatb (pd_list pb) Ic newmin)-> 
(~ ( <nat>(ps_num psb)=newmin) )-> 

(min minnata newmin nm)-> 

(dfs_scc Gin gin verta (cons vertb la) Qlin 

(pai r__dfs_i ntro (pd_grafa pb) Qg (pd_list pb)) 
psa psc nm) . 

Goal (Gin, gin : graf)(x : V)(la : list)(Qlin : list) 

(p : pai r_df s ) (dfs gin x la Qlin p)->(psa:pair_scc) 

(psbspai r_sccACnm:nat I (dfs_scc Gin gin x la Qlin 

p psa psb nm)}>. 

Intros Gin gin x la Qlin p H;Elim H;Intros. 

Apply exists with (pa i r_scc_i ntro (S (ps_num psa)> 

(cons vert (ps_list psa)) (ps_ll psa)); 
Apply exist with (ps_num psa); 

Apply ini t_dfs_scc; Auto. 

Elim (HO psa); Intros. 

E 1 im pi ; Intros . 

Elim (depth_min__f n (ps_list xO) xl (pd_list pO) 

(cons vertb ni 1 )); Intros . 

Apply exists with xO; Apply exist with x2 ; 

Apply cons_df s_sccl with xl;Auto. 

Elim (HO psa); Intros. 

Elim pO; Intros. 

Elim (HI xO);Intros. 

Elim p2 ; Intros . 

Elim ( edges_f rom_i n__fn vertb Gin); Intros. 

Elim (depth_min_fn (ps_list xO) x3 (pd_list pb) x4); Intros. 



Elim (eqnat (ps_num xO) x^); Intros. 

Elim <rm_l_l_fn (ps_list x0> <ps_list x2)>; Intros. 

Apply exists with (pai r_scc_intro <ps_num x2> <ps_list x0> 

(cons_ll x6 (ps_ll x2>)>; 

Apply exist with xl ; 

Apply cons_df s_scc2 with lb x4 pa x3 x^;Auto. 

Elim <min_fn xl x5>; Intros. 

Apply exists with x2;Apply exist with x6 ; 

Apply cons__df s_scc3 with lb x4 pa xO xl x5 x5;Auto. 

Save df s__scc_prop . 

Inductive Definition df s_scc_specCg : graf ; x : V ; 1 la : 1 1 3 : Prop 
df s_scc_spec_i ntro : (p : pair^dfs)<ps : pair_scc) 

<mn : nat)<la : 1 i st ) ( edges_f rom_i n x g la)-> 

(dfs_scc g g X la nil p 

(pai r_scc_i ntro (S 0) nil nil_ll) ps mn>-> 
(<ll>lla = (cons_ll (ps_list ps> (ps_ll ps)>)-> 

(df s_scc_spec g x lla). 

Goal (G : graf>(x : V>flla : 11 I ( df s_scc_spec G x lla>3. 
Intros;Elim (edges_f rom_i n_f n x G>; Intro. 

Elim (ni l_or_not_ni 1 xO); Intro. 

Elim a; Intros . 

Apply exist with (cons_ll (cons x nil) nil_ll>. 

Elim (rm__V_graf_f n x G); Intros. 

Cut (dfs_scc G G X nil nil 

(pa i r_df s_i ntro xl nil__graf (cons x nil)) 
(pair_scc_intro (S 0) nil nil_ll) 

(pai r_scc_i ntro 

(S (ps_num (pa i r_scc_i ntro (S 0) nil nil_ll))) 

(cons X (ps_list (pa i r_scc_i ntro (S 0) nil nil_ll))) 
(ps__ll (pai r_scc_i ntro (S O) nil nil_ll))) 

(ps_num (pa i r_scc_i ntro (S O) nil nil_ll))). 

Intro H;Apply df s__scc_spec_i ntro with 

(pa i r_df s_i ntro xl nil_graf (cons x nil)) 

(pa i r_scc_i ntro 

(S (ps_num (pa i r__scc_i ntro <S 0) nil nil_ll))) 

(cons X (ps^list (pai r_scc_i ntro (S 0) nil nil_ll))) 
(ps_ll (pai r_scc_i ntro (S 0) nil nil_ll))) 

(ps_num (pai r_scc_i ntro (SO) nil nil_ll)) nil; Auto. 

Apply ini t_dfs_scc; Auto. 

Intro H;Elim (dfs_prop G x xO nil H b); Intros. 

Elim (df s_scc_prop G G x xO nil xl p 

(pair_scc_intro (S 0) nil n i 1_1 1 )); Intros . 

Elim pO ; Intros . 

Apply exist with (cons_ll (ps_list x2) (ps_ll x2 ) ) . 

Apply df s_scc__spec_i ntro with xl x2 xj xO;Auto. 

Save dfs scc_prog. 
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